Possible XSS vulnerability #156
Tieba-Cloud-Sign/templates/control.php Line 23 in e13aa6e
Tieba-Cloud-Sign/lib/plugins.php Lines 197 to 199 in e13aa6e
This is a less serious vulnerability than it might seem: the permission check we placed in front of it blocks access by non-admin users, and the file existence check ensures that non-existent plugins are not loaded, so triggering this vulnerability requires:
Thank you for your feedback; we will fix it later.
(translated by deepl.com)
This is not as serious a vulnerability as you might think; we set up a permission check earlier to block access by non-admin users, and in addition the file existence check will ensure that non-existent plugins will not be loaded, so two conditions are required to trigger this vulnerability.
Thank you for your feedback, we will fix it later.
A polite question: how well does deepl.com handle Chinese-to-English and English-to-Chinese?
You have already seen it.
CVE-2022-28920 is assigned for this vulnerability. |
This is the first CVE assigned to tc in its seven years history. |
Hello,
I would like to report an XSS vulnerability.
In file https://github.com/MoeNetwork/Tieba-Cloud-Sign/blob/master/templates/control.php line 53.
Then, there is an echo in line 62.
strip_tags is not secure in this case. If you look at this code example, the alert will be printed when you press on the link.
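The point raised in the report above, that stripping tags is not the same as encoding output, can be shown with a small stand-alone example. This is an added illustration, not code from the Tieba-Cloud-Sign project and not the contents of control.php; the function names, the link template and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not the project's code): why strip_tags() is not an output
// encoder, and what a hardened version of the same output looks like.
// Function names, template and inputs are assumptions for illustration.

// strip_tags() only removes <...> tags. A value that is later placed inside an
// attribute (for example an href) needs no tags at all to change the page's
// behaviour, so strip_tags() passes it through unchanged.
function renderLinkWithStripTags(string $userValue): string
{
    $cleaned = strip_tags($userValue);            // removes tags only
    return '<a href="' . $cleaned . '">open</a>'; // attribute context left unencoded
}

// Hardened version: validate the value as a URL, allow-list the scheme, and
// encode for the HTML attribute context. Both attribute breakout and script
// URLs are rejected or neutralised before they reach the template.
function renderLinkSafely(string $userValue): string
{
    $url = filter_var($userValue, FILTER_VALIDATE_URL);
    if ($url === false) {
        return '<span>invalid link</span>';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '<span>invalid link</span>';
    }
    $encoded = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $encoded . '">open</a>';
}

// Constructed inputs: one benign URL and two values that contain no HTML tags
// at all, so strip_tags() has nothing to remove.
$inputs = [
    'https://example.com/page',   // benign
    '" onclick="alert(1)',        // breaks out of the href attribute
    'javascript:alert(1)',        // script URL inside an otherwise valid href
];

foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "strip_tags: " . renderLinkWithStripTags($in) . "\n";
    echo "hardened:   " . renderLinkSafely($in) . "\n\n";
}
```

Running the script shows the first function emitting the second and third inputs verbatim into the attribute, while the hardened function replaces both with a placeholder and encodes the benign URL. The general rule this illustrates is that output must be encoded for the context it lands in (HTML body, attribute, URL, JavaScript), and a tag filter only addresses one of those.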